MySQL and Quotation marks

monolift

4:45 pm on Jul 23, 2002 (gmt 0)

I have a page on a client's website that is used to update company news.

There are a couple of PHP scripts to update or add news items. The problem is that any time there is a quotation mark in the text of the news item, MySQL interprets it as the end of the string and then ends up returning a syntax error.

Is there any way to make MySQL ignore the quotation marks inside the query?

I know how to do this when I echo html, but it doesn't seem to work the same way for the MySQL query.

Brett_Tabke

4:47 pm on Jul 23, 2002 (gmt 0)

Ya, you have to escape all sql queries. Not being the php person around here, not sure how you do that with php.

monolift

4:50 pm on Jul 23, 2002 (gmt 0)

Would that be with magic quotes?

I've read a bit about these, but I'm not exactly sure how they work.

jatar_k

4:55 pm on Jul 23, 2002 (gmt 0)

if you just want to escape chars in a large string you can use addslashes() [php.net] and then when you output it you can use stripslashes() [php.net].

monolift

4:55 pm on Jul 23, 2002 (gmt 0)

Never mind, I found the answer.

If anyone else was wondering, the quotes are escaped with the addslashes function.

mavherick

4:56 pm on Jul 23, 2002 (gmt 0)

well you can use the following before you execute your insert:

$escaped_text = mysql_escape_string($news_text); // escape the value, not the finished query, or the quotes delimiting the literal get escaped too
$result = mysql_query("INSERT INTO news (text) VALUES ('$escaped_text')"); // table and column names are illustrative

mavherick

abilstein

4:58 pm on Jul 23, 2002 (gmt 0)

A quick word on Magic Quotes. Although it can be very tempting to use, they can prove to be a nightmare on portability. I highly advise against it unless you have a particular reason that they are needed. Standardization is good - magic quotes are not standard. :) Stick with add/strip slashes.

toadhall

5:02 pm on Jul 23, 2002 (gmt 0)

You can test to see if magic quotes are on using get_magic_quotes_runtime (0 = off, 1 = on).

addslashes() and stripslashes() are the functions to use to escape double quotes et al.

see:
www.php.net/get_magic_quotes_runtime
www.php.net/addslashes
www.php.net/stripslashes

ggrot

6:14 pm on Jul 23, 2002 (gmt 0)

Another thing to note is that if you are taking any user variable and running a SQL query with it, you will want to run addslashes first. Even if the input is done on a drop-down box w/ two choices. Inputs to a script can always be changed by a malicious user. Imagine if your yes/no input got changed to the string '";DROP *;' where the double quotes are actually part of the string. The ; would indicate the end of one MySQL query and the beginning of the next one. While the first one may return invalid, the next one will delete the entire database (oh fun, huh?).
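
The two failure modes discussed in this thread, a stray quotation mark ending the string literal early (monolift's syntax error) and a quote-plus-semicolon payload splitting one query into two (ggrot's '";DROP *;'), can be made visible without a database. The following Python is an added example written for this page, not code from any poster. It reimplements the escaping done by PHP's addslashes() and mysql_escape_string(), builds the INSERT the way the thread's PHP scripts do (the table and column names and the news-text samples are made up here), and then splits the result on semicolons outside quoted literals, which approximates how MySQL's parser decides where one statement ends. The payloads used are the ones from the thread.

```python
# Added example: why escaping fixes both the syntax error and the
# '";DROP *;' case from this thread. Assumed table/column names: news.body.

# Characters mysql_escape_string() backslash-escapes. addslashes() handles
# only the subset in _ADDSLASHES; neither knows the connection charset.
_MYSQL_ESCAPES = {
    "\0": "\\0", "\n": "\\n", "\r": "\\r", "\x1a": "\\Z",
    "\\": "\\\\", "'": "\\'", '"': '\\"',
}
_ADDSLASHES = {"'": "\\'", '"': '\\"', "\\": "\\\\", "\0": "\\0"}


def mysql_escape(value: str) -> str:
    """Escape a string the way PHP's mysql_escape_string() does."""
    return "".join(_MYSQL_ESCAPES.get(ch, ch) for ch in value)


def addslashes(value: str) -> str:
    """Escape a string the way PHP's addslashes() does."""
    return "".join(_ADDSLASHES.get(ch, ch) for ch in value)


def build_insert(news_text: str, escape=None, delim: str = "'") -> str:
    """Interpolate news_text into a literal delimited by `delim`, as the
    thread's scripts do. escape=None reproduces the unescaped bug."""
    if escape is not None:
        news_text = escape(news_text)
    return f"INSERT INTO news (body) VALUES ({delim}{news_text}{delim})"


def split_statements(sql: str) -> list:
    """Split sql on ';' that sit outside quoted literals, honouring
    backslash escapes inside literals. A payload that escapes its literal
    shows up here as an extra statement."""
    stmts, buf, quote, i = [], [], None, 0
    while i < len(sql):
        ch = sql[i]
        if quote:                       # inside a literal
            buf.append(ch)
            if ch == "\\" and i + 1 < len(sql):
                buf.append(sql[i + 1])  # escaped char never closes the literal
                i += 1
            elif ch == quote:
                quote = None
        elif ch in ("'", '"'):          # literal opens
            quote = ch
            buf.append(ch)
        elif ch == ";":                 # statement boundary
            stmts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    if "".join(buf).strip():
        stmts.append("".join(buf).strip())
    return stmts


def unterminated_literal(sql: str) -> bool:
    """True when a quote opened in sql is never closed: the syntax error
    monolift hit when a news item contained a quotation mark."""
    quote, i = None, 0
    while i < len(sql):
        ch = sql[i]
        if quote:
            if ch == "\\":
                i += 1                  # skip the escaped character
            elif ch == quote:
                quote = None
        elif ch in ("'", '"'):
            quote = ch
        i += 1
    return quote is not None


if __name__ == "__main__":
    # Constructed sample inputs: a harmless news item and ggrot's payload.
    item = "It's a \"new\" office"
    print(build_insert(item), "->", unterminated_literal(build_insert(item)))
    print(build_insert(item, mysql_escape), "->",
          unterminated_literal(build_insert(item, mysql_escape)))
    payload = '";DROP *;'
    print(split_statements(build_insert(payload, None, '"')))
    print(split_statements(build_insert(payload, mysql_escape, '"')))
```

Run as a script it prints the unescaped and escaped INSERTs and the statement list each one splits into: the apostrophe in the unescaped item leaves an open literal, and the unescaped payload yields a separate `DROP *` statement, while both escaped forms come out as exactly one well-formed statement. Two caveats for anyone reading this thread today: addslashes() does not escape newlines, carriage returns or NUL the way mysql_escape_string() does, and neither function knows the connection character set (mysql_real_escape_string() did, and it needed an open connection). The whole mysql_* extension was removed in PHP 7; the current fix for this problem is a prepared statement with bound parameters through mysqli or PDO, which never interpolates the news text into the SQL at all.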

monolift

6:29 pm on Jul 23, 2002 (gmt 0)

Thanks for the heads up on that. I will definitely use addslashes from this point on.